From Dakar in Senegal to Astana in Kazakhstan, the same scheme repeats itself: Facebook pages pretending to be local public transportation services offer travel cards at very low prices. That’s how the scam begins. The real goal is to lead users to phishing websites in order to steal their credit card information. We identified 1,075 pages replicating this scam between July 2024 and July 2025 across 746 cities and regions in 60 different countries.
Not only the reach of this scam is global, its structure is as well. According to data provided by Meta, more than half of the administrators are believed to be located in Vietnam, while the majority of the promoted domains are hosted on just two IP addresses from the same provider in Russia.
In this scam, Meta’s own advertising system plays a key role. Even though these pages generally have few followers, many managed to massively spread their phishing posts thanks to more than 9,000 paid ads on Facebook and Instagram. Although Meta removed at least one ad on 55% of these pages for violating advertising rules, all of the pages were still publicly accessible at the time the data was collected (July 2025), even months after their initial activity.
An international structure for scamming
Beyond the content of the promoted posts, Meta had other warning signs indicating this wasn’t an isolated case but rather coordinated networks that could have been acted upon. Nearly one in five pages changed names at some point, and many were recycled to offer supposed transportation services in different cities. For example, one page initially posed as the public transport agency of Le Havre (France), but later transformed into the supposed transport company of Peterborough, United Kingdom.
Additionally, other pages followed repetitive naming patterns before being activated for the scam.
This scam isn’t international just because it affects 60 countries, but also because the structure of those carrying it out seems to be spread across the globe. Meta provides location data for the administrators of many of these fraudulent pages that pretend to offer local transport services, but in only one case does the administrator’s location match the country claimed by the page. On the contrary, there are cases like the supposed public transportation system of Brighton, UK, which is managed by two administrators based in Thailand and Vietnam.
Of the 515 administrators whose location Meta provides, more than half are in Vietnam. The next most common countries are Ukraine, Bangladesh, and the United States.
Although only seven of the administrators with available location data (1.3%) are in European Union countries, 68% of the fraudulent pages impersonate public transportation services that are located within the EU. The countries with the highest number of detected pages were France, Spain, the United Kingdom, and Italy. Barcelona was the most affected city in the world, with more than 20 different pages attempting to impersonate its public transport service.
Back in June, we reported 58 fraudulent Facebook pages to Meta that had promoted their scams through ads in Spain. We used the reporting mechanisms established by the European Union’s Digital Services Act (DSA), but a week later, 93% of those pages were still active.
A similar trend of a European focus exists in the use of Meta’s own ad platforms to promote the scam. Of the more than 9,100 ads these pages ran, only 20 were in non-European countries, according to Meta’s ad repository.
Domains based in Russia
According to Meta's information, the fraudulent pages are operated from over 30 different countries, with Vietnam appearing most frequently. But when analyzing the links promoted in these posts, another key country emerges: Russia.
The goal of these pages is to get people to click on a link that leads to a website where users are asked to enter their credit card number, supposedly to pay for a discounted transport pass. Based on our analysis, more than half of these Facebook pages link to domains hosted on just two IP addresses, both belonging to the same provider in Russia.
590 of the 1,075 detected Facebook pages involved in the scam promoted links to domains hosted by the same Russian provider, JSC Selectel, sharing the same server across two IP addresses and DNS registration. When combined with the fact that the content was almost identical, just adapted to each targeted city, and that the ads followed the same promotion patterns, this suggests that the pages may have been managed by the same person or organization.
An investigation with international support
After uncovering the fraud in 47 Spanish cities, fact-checking organizations from around the world contacted Maldita.es to report that they had identified the same scam in their own countries. We thank our colleagues from the European Fact-Checking Standards Network (EFCSN) and the International Fact-Checking Network (IFCN) for their collaboration, especially Facta.News and Open.online (Italy), DPA (Germany), Faktograf and Lupa (Croatia), Teyit (Turkey), Fact Review and Ellinika Hoaxes (Greece), Vistinomer.mk (North Macedonia), Raskrinkavanje (Bosnia and Herzegovina), Myth Detector and Geofacts (Georgia), Factcheck.bg (Bulgaria), Raskrinkavanje (Montenegro), CongoCheck (Congo)m and Sure And Share Center MCOT (Thailand).